How to perform a check
note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale.
Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.
Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.
This section will illustrate how to perform a check request to determine whether a user has a certain relationship with an object.
Before you start
Node.js, Go and .NET:
- You have obtained the environment, store id, client id and client secret.
- You have installed the SDK.
- You have configured the authorization model and updated the relationship tuples.
- You have loaded FGA_ENVIRONMENT, FGA_STORE_ID, FGA_CLIENT_ID and FGA_CLIENT_SECRET as environment variables.

curl:
- You have obtained the environment, store id, client id and client secret.
- You have configured the authorization model and updated the relationship tuples.
- You have loaded FGA_ENVIRONMENT, FGA_BEARER_TOKEN and FGA_STORE_ID as environment variables.
Step by Step
Assume that you want to check whether user anne has relationship reader with object document:Z.
01. Configure the Auth0 FGA API client
Before calling the check API, you will need to configure the API client.
Node.js:

```javascript
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
  environment: process.env.FGA_ENVIRONMENT,
  storeId: process.env.FGA_STORE_ID,
  clientId: process.env.FGA_CLIENT_ID,
  clientSecret: process.env.FGA_CLIENT_SECRET,
});
```
Go:

```go
import (
	fgaSdk "github.com/auth0-lab/fga-go-sdk"
	"os"
)

func Main() {
	configuration, err := fgaSdk.NewConfiguration(fgaSdk.UserConfiguration{
		Environment:  os.Getenv("FGA_ENVIRONMENT"),
		StoreId:      os.Getenv("FGA_STORE_ID"),
		ClientId:     os.Getenv("FGA_CLIENT_ID"),
		ClientSecret: os.Getenv("FGA_CLIENT_SECRET"),
	})
	if err != nil {
		// .. Handle error
	}

	fgaClient := fgaSdk.NewAPIClient(configuration)
}
```
.NET:

```csharp
// import the SDK
using Auth0.Fga.Api;
using Auth0.Fga.Configuration;
using Environment = System.Environment;

namespace ExampleApp;

class MyProgram {
    static async Task Main() {
        var storeId = Environment.GetEnvironmentVariable("FGA_STORE_ID");
        var environment = Environment.GetEnvironmentVariable("FGA_ENVIRONMENT");
        var configuration = new Configuration(storeId, environment) {
            ClientId = Environment.GetEnvironmentVariable("FGA_CLIENT_ID"),
            ClientSecret = Environment.GetEnvironmentVariable("FGA_CLIENT_SECRET"),
        };
        var fgaClient = new Auth0FgaApi(configuration);
    }
}
```
curl:

To obtain the access token:

```shell
# Not needed when calling the Playground API
curl -X POST \
  https://fga.us.auth0.com/oauth/token \
  -H 'content-type: application/json' \
  -d '{"client_id":"'"$FGA_CLIENT_ID"'","client_secret":"'"$FGA_CLIENT_SECRET"'","audience":"https://api.us1.fga.dev/","grant_type":"client_credentials"}'

# The response will be returned in the form
# {
#   "access_token": "eyJ...Ggg",
#   "expires_in": 86400,
#   "scope": "read:tuples write:tuples check:tuples ... write:authorization-models",
#   "token_type": "Bearer"
# }
# Store this `access_token` value in environment variable `FGA_BEARER_TOKEN`

# For non-playground environment
FGA_API_URL='https://api.us1.fga.dev'

# For playground environment
# FGA_API_URL='https://api.playground.fga.dev'
```
02. Calling Check API
To check whether user anne has relationship reader with object document:Z:
Node.js:

```javascript
// Run a check
const { allowed } = await fgaClient.check({
  tuple_key: {
    user: 'anne',
    relation: 'reader',
    object: 'document:Z',
  },
});
// allowed = true
```
Go:

```go
// Requires "context" in the import block.
body := fgaSdk.CheckRequestParams{
	TupleKey: &fgaSdk.TupleKey{
		User:     fgaSdk.PtrString("anne"),
		Relation: fgaSdk.PtrString("reader"),
		Object:   fgaSdk.PtrString("document:Z"),
	},
}
data, response, err := fgaClient.Auth0FgaApi.Check(context.Background()).Body(body).Execute()
if err != nil {
	// .. Handle error
}
// data = { allowed: true }
```
.NET:

```csharp
// Run a check
var response = await fgaClient.Check(new CheckRequestParams(new TupleKey {
    User = "anne",
    Relation = "reader",
    Object = "document:Z"
}));
// response.Allowed = true
```
curl:

```shell
# The Authorization header is not needed if the service does not require authorization
curl -X POST "$FGA_API_URL/stores/$FGA_STORE_ID/check" \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \
  -H "content-type: application/json" \
  -d '{"tuple_key":{"user":"anne","relation":"reader","object":"document:Z"}}'
# Response: {"allowed":true}
```
The result's allowed field will return true if the relationship exists and false if the relationship does not exist.
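A caller normally turns the allowed field into an access decision. The following is an added example, not part of the Auth0 FGA documentation or SDK: it wraps the check call so that malformed input, errors, timeouts and unexpected responses all deny access. The names isAllowed and stubClient and the 2-second timeout are assumptions, and the stub stands in for fgaClient so the code runs offline.

```javascript
// Added example, not SDK code. Only the check({ tuple_key }) call shape and
// the `allowed` response field come from the page; everything else is hypothetical.
const CHECK_TIMEOUT_MS = 2000; // assumed time budget for one decision

function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('check timed out')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Resolves to true only when the API explicitly answers { allowed: true }.
// Bad input, transport errors, timeouts and odd response bodies all deny.
async function isAllowed(client, user, relation, object, timeoutMs = CHECK_TIMEOUT_MS) {
  const parts = [user, relation, object];
  if (!parts.every((p) => typeof p === 'string' && p.length > 0)) return false;
  if (!/^[^:\s]+:\S+$/.test(object)) return false; // expect "type:id", e.g. document:Z
  try {
    const call = client.check({ tuple_key: { user, relation, object } });
    const res = await withTimeout(call, timeoutMs);
    return res !== null && typeof res === 'object' && res.allowed === true;
  } catch (err) {
    console.error('FGA check failed, denying access:', String(err));
    return false;
  }
}

// Constructed stand-in for fgaClient, backed by an in-memory set of tuples.
function stubClient(tuples) {
  return {
    async check({ tuple_key: t }) {
      return { allowed: tuples.has(`${t.user}|${t.relation}|${t.object}`) };
    },
  };
}

async function demo() {
  const client = stubClient(new Set(['anne|reader|document:Z']));
  console.log('anne reader document:Z ->', await isAllowed(client, 'anne', 'reader', 'document:Z'));
  console.log('anne writer document:Z ->', await isAllowed(client, 'anne', 'writer', 'document:Z'));
}
demo();
```

With the real SDK, pass the configured fgaClient in place of the stub.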